
It becomes more difficult every day for organizations to protect themselves against cyberattacks. As security measures evolve, cyberattacks are also becoming more sophisticated and complex – and, amid the rise of interconnected devices and a reliance on cloud services and third-party vendors, there is a larger attack surface for criminals to target.

A shortage of skilled cybersecurity professionals further exacerbates the problem, as organizations struggle to find and retain talent capable of defending their data and assets against cyberthreats.

The outlook isn’t rosy, either. In the US alone, 2023 represented an all-time high for data breaches, with 3,205 incidents affecting more than 353 million victims – and these numbers are expected to keep climbing. Advances in generative AI, exploited by cybercriminals, may push the frequency of these attacks higher still.

Consider a holistic security approach

So, as organizations modernize their operations, it’s essential to start thinking about security right at the beginning of the digital transformation process.

Consider a bank that wants to enhance customer experience with a new app. If security is not addressed alongside the functional requirements and the coding, potential vulnerabilities in the app may only be identified at the eleventh hour. In contrast to such a reactive process, a secure-by-design approach weaves security into the project’s fabric from the very beginning, as early as the ideation and business-requirement phases.

“Secure by design” is not a service or technology; it’s a holistic approach to security, like that of zero trust. It involves asking critical questions about data assets and their sensitivity, and implementing concepts like role-based access control.

It’s a guiding philosophy that applies not only to software development but also to the design of networks, data centers and cloud infrastructure.
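As an added illustration of the role-based access control mentioned above (example code written for this article, not NTT DATA’s or any bank’s implementation), the following Python shows a deny-by-default authorization check for the bank-app scenario. The role names, permissions, resource names and sensitivity tiers are assumptions chosen for the illustration. The point it makes is that a request is allowed only when a role holds the exact (action, resource) grant and is also cleared for the data’s sensitivity; unknown roles, unlisted actions and unknown resources all fall through to deny.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered data classification: a role must be cleared to at least the
    resource's tier before any grant on it counts."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity


# Assumed resource catalogue for the bank app (illustrative names).
RESOURCES = {
    "own_balance": Resource("own_balance", Sensitivity.CONFIDENTIAL),
    "transfer": Resource("transfer", Sensitivity.CONFIDENTIAL),
    "customer_profile": Resource("customer_profile", Sensitivity.CONFIDENTIAL),
    "transaction_log": Resource("transaction_log", Sensitivity.RESTRICTED),
}

# Explicit (action, resource) grants per role. Anything not listed is denied;
# there is no wildcard and no implied "read if you can write".
ROLE_PERMISSIONS = {
    "customer": {("read", "own_balance"), ("create", "transfer")},
    "teller": {("read", "own_balance"), ("read", "customer_profile")},
    "fraud_analyst": {("read", "customer_profile"), ("read", "transaction_log")},
    "auditor": {("read", "transaction_log")},
    # Deliberate misconfiguration: a grant on RESTRICTED data for a role that
    # is only cleared to INTERNAL. The clearance check below still denies it.
    "support": {("read", "transaction_log")},
}

# Highest sensitivity tier each role is cleared to handle.
ROLE_CLEARANCE = {
    "customer": Sensitivity.CONFIDENTIAL,
    "teller": Sensitivity.CONFIDENTIAL,
    "fraud_analyst": Sensitivity.RESTRICTED,
    "auditor": Sensitivity.RESTRICTED,
    "support": Sensitivity.INTERNAL,
}


def decide(roles, action, resource_name):
    """Return (allowed, reason). Allowed only if some role holds the exact
    (action, resource) grant AND is cleared for the resource's tier.
    Every other path, including unknown roles or resources, is a deny."""
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return False, f"unknown resource {resource_name!r}"
    denied_reason = f"no role in {sorted(roles)} grants {action} on {resource_name}"
    for role in sorted(roles):
        grants = ROLE_PERMISSIONS.get(role, set())  # unknown role: empty grants
        if (action, resource_name) not in grants:
            continue
        clearance = ROLE_CLEARANCE.get(role, Sensitivity.PUBLIC)
        if clearance < resource.sensitivity:
            # The grant exists, but the role is not cleared for this data tier.
            denied_reason = (f"role {role!r} holds the grant but is not cleared "
                             f"for {resource.sensitivity.name}")
            continue
        return True, f"role {role!r} grants {action} on {resource_name}"
    return False, denied_reason


def is_allowed(roles, action, resource_name):
    return decide(roles, action, resource_name)[0]


if __name__ == "__main__":
    for roles, action, res in [
        ({"customer"}, "read", "own_balance"),
        ({"customer"}, "read", "transaction_log"),
        ({"support"}, "read", "transaction_log"),
        ({"intern"}, "read", "own_balance"),
    ]:
        print(sorted(roles), action, res, "->", decide(roles, action, res))
```

The `support` role is intentionally misconfigured: it holds a grant on RESTRICTED data but is cleared only to INTERNAL, so the clearance check denies it. Keeping the two checks independent means one mistake in the permission table does not by itself expose the most sensitive data, and `decide` returns a reason string so the denial can be logged for audit.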

The six Cs of cybersecurity

Within this secure-by-design framework, I use the six Cs of cybersecurity to decide where and how to plan a transformation.

1. Cost: maximizing ROI through strategic investments

Budgets are not infinite, so cost is a significant factor in cybersecurity. Return on security investment is a key metric for CISOs who want to optimize their security budgets, and optimizing a finite budget means making tough choices.

With various investment options available, from firewall upgrades to multifactor authentication, CISOs must strategically choose where to allocate resources to optimize their security posture. They have to quantify the impact of the security investment and weigh it up against the budget. At NTT DATA, we follow a specific methodology to help our clients make the right investment decisions in this regard.

2. Compliance: from technicality to boardroom priority

Compliance is no longer a technical concern; it’s now a board-level discussion. Take, for instance, the Payment Card Industry Data Security Standard (PCI DSS) that governs credit card transactions. Failing to comply not only results in hefty fines but may also cause great reputational damage. At worst, payment-processing corporations can cut ties with your business.

With compliance becoming a fundamental board issue, CISOs must ensure that their organizations adhere to industry standards and regulations to safeguard both their financial interests and their brand reputation.

3 and 4. Competencies and consolidation: addressing the workforce shortage and vendor overload

The shortage of cybersecurity professionals is a well-known challenge. Competencies are a crucial aspect of cybersecurity, and one that is directly tied to consolidation: every additional tool needs someone skilled enough to operate it.

Large organizations have multiple security vendors, which creates overwhelming complexity – one NTT DATA client had 200 security vendors. Things get even worse when you’re under attack: all the alerts light up like a Christmas tree while the poor security analyst must decide what to do.

Complexity is an internal enemy. But, by consolidating security controls under a few platform vendors, organizations can simplify their operations, increase automation and reduce costs. With consolidated tools, you need fewer security analysts to keep your environment secure.

5. Cloud: navigating multicloud complexity

It feels like the whole world is moving to cloud. More than 90% of our clients have already moved part of their applications and workloads to cloud environments. Because different workloads run in different clouds, the challenge once again becomes complexity, especially in enforcing a unified corporate security policy across diverse cloud instances.

Multicloud security requires careful consideration and automation so that the management of security policies does not become a nightmare. Organizations need to leverage expertise to navigate the intricacies of securing data spread across cloud platforms. This forms part of the journey to zero trust.
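One way to keep a single corporate policy enforceable across clouds, as the paragraph above calls for, is to normalize each provider’s inventory into a common model and evaluate the policy once against that model. The following Python is an added example written for this article, not NTT DATA’s tooling. The three inventories are constructed samples whose field names are simplified approximations of what each cloud’s storage API returns rather than verified schemas, and the rule identifiers are assumptions; the pattern it shows (provider knowledge in adapters, policy written once) is the point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bucket:
    """Provider-neutral view of an object-storage bucket: the only shape the
    policy below ever sees."""
    provider: str
    name: str
    public: bool    # reachable by anonymous principals
    cmek: bool      # encrypted with a customer-managed key
    logging: bool   # access logging enabled


# Constructed sample inventories. Field names are simplified approximations of
# each cloud's storage API, not verified schemas.
AWS_INVENTORY = [
    {"Name": "acme-prod-data",
     "PublicAccessBlock": {"BlockPublicAcls": True, "RestrictPublicBuckets": True},
     "ServerSideEncryption": "aws:kms", "LoggingEnabled": True},
    {"Name": "acme-marketing",
     "PublicAccessBlock": {"BlockPublicAcls": False, "RestrictPublicBuckets": False},
     "ServerSideEncryption": "AES256", "LoggingEnabled": False},
]
AZURE_INVENTORY = [
    {"name": "acmeprodsa", "allowBlobPublicAccess": False,
     "encryption": {"keySource": "Microsoft.Keyvault"}, "diagnosticsEnabled": True},
    {"name": "acmedevsa", "allowBlobPublicAccess": True,
     "encryption": {"keySource": "Microsoft.Storage"}, "diagnosticsEnabled": False},
]
GCP_INVENTORY = [
    {"name": "acme-analytics",
     "iamConfiguration": {"publicAccessPrevention": "enforced"},
     "encryption": {"defaultKmsKeyName":
                    "projects/acme-prod/locations/europe-west1/keyRings/data/cryptoKeys/bucket"},
     "logging": {"logBucket": "acme-access-logs"}},
    {"name": "acme-static-site",
     "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "encryption": {}, "logging": None},
]


# Adapters: all provider-specific knowledge lives here and nowhere else.
def from_aws(b):
    pab = b.get("PublicAccessBlock", {})
    blocked = bool(pab.get("BlockPublicAcls")) and bool(pab.get("RestrictPublicBuckets"))
    return Bucket("aws", b["Name"], public=not blocked,
                  cmek=b.get("ServerSideEncryption") == "aws:kms",  # AES256 = provider-managed SSE-S3
                  logging=bool(b.get("LoggingEnabled")))


def from_azure(a):
    return Bucket("azure", a["name"], public=bool(a.get("allowBlobPublicAccess")),
                  cmek=a.get("encryption", {}).get("keySource") == "Microsoft.Keyvault",
                  logging=bool(a.get("diagnosticsEnabled")))


def from_gcp(g):
    pap = g.get("iamConfiguration", {}).get("publicAccessPrevention")
    # "inherited" defers to org policy; treat anything but an explicit
    # "enforced" as potentially public so the check fails closed.
    return Bucket("gcp", g["name"], public=pap != "enforced",
                  cmek=bool(g.get("encryption", {}).get("defaultKmsKeyName")),
                  logging=g.get("logging") is not None)


# The corporate policy, written once against the neutral model.
POLICY = [
    ("STOR-1", "public access must be blocked", lambda b: not b.public),
    ("STOR-2", "customer-managed encryption key required", lambda b: b.cmek),
    ("STOR-3", "access logging must be enabled", lambda b: b.logging),
]


def inventory():
    return ([from_aws(x) for x in AWS_INVENTORY]
            + [from_azure(x) for x in AZURE_INVENTORY]
            + [from_gcp(x) for x in GCP_INVENTORY])


def evaluate(buckets):
    """Return one (provider, bucket, rule_id) tuple per failed rule."""
    return [(b.provider, b.name, rule_id)
            for b in buckets
            for rule_id, _desc, check in POLICY
            if not check(b)]


if __name__ == "__main__":
    for provider, name, rule in evaluate(inventory()):
        print(f"{provider:5} {name:18} fails {rule}")
```

Run directly, it prints nine findings: the three compliant buckets produce none, and the non-compliant bucket in each cloud fails the same three rules, because the rules never see a provider-specific field. Adding a fourth provider means writing one more adapter, not touching the policy, which is what keeps policy management from becoming the nightmare described above.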

6. Convergence: the nexus of networking and security

Convergence marks the integration of networking and security. The focus is on secure access service edge (SASE), which brings together software-defined wide area networks (SD-WAN) with security service edge (SSE). This convergence involves moving traditional security controls to the cloud.

By unifying their security controls and workloads in the cloud, at an enforcement point that sits between the internet and the enterprise network, organizations can accelerate their digital transformation and gain better protection and orchestration through a centralized management interface.
